svn commit: r237 - trunk/mapbender/http/php/mod_filteredGui_filteredUser.php

uli at osgeo.org uli at osgeo.org
Thu May 11 05:17:16 EDT 2006 

Author: uli
Date: 2006-05-11 09:17:16+0000
New Revision: 237

Modified:
   trunk/mapbender/http/php/mod_filteredGui_filteredUser.php

Log:
db_prep_query included
verification of user permissions

Modified: trunk/mapbender/http/php/mod_filteredGui_filteredUser.php
Url: https://mapbender.osgeo.org/source/browse/mapbender/trunk/mapbender/http/php/mod_filteredGui_filteredUser.php?view=diff&rev=237&p1=trunk/mapbender/http/php/mod_filteredGui_filteredUser.php&p2=trunk/mapbender/http/php/mod_filteredGui_filteredUser.php&r1=236&r2=237
==============================================================================
--- trunk/mapbender/http/php/mod_filteredGui_filteredUser.php	(original)
+++ trunk/mapbender/http/php/mod_filteredGui_filteredUser.php	2006-05-11 09:17:16+0000
@@ -1,6 +1,7 @@
 <?php
 # $Id$
-# $Head$
+# http://www.mapbender.org/index.php/Administration
+#
 # Copyright (C) 2002 CCGIS 
 #
 # This program is free software; you can redistribute it and/or modify
@@ -61,9 +62,6 @@
 </head>
 <body>
 <?php
-require_once("../../conf/mapbender.conf");
-$con = db_connect($DBSERVER,$OWNER,$PW);
-db_select_db(DB,$con);
 
 require_once("../php/mb_getGUIs.php");
 
@@ -79,19 +77,22 @@
 
 $logged_user_name=$_SESSION["mb_user_name"];
 $logged_user_id=$_SESSION["mb_user_id"];
-#echo $_SESSION["mb_user_name"];
 
-/*handle remove, update and insert**************************************************************************************/
+/*handle remove, update and insert*****************************************************************/
 if($insert){
 	if(count($selected_user)>0){
 		for($i=0; $i<count($selected_user); $i++){
 			$exists = false;
-			$sql_insert = "SELECT * from gui_mb_user where fkey_gui_id = '".$selected_gui."' and fkey_mb_user_id = '".$selected_user[$i]."'";
-			$res_insert = db_query($sql_insert);
+			$sql_insert = "SELECT * from gui_mb_user where fkey_gui_id = $1 and fkey_mb_user_id = $2 ";
+			$v = array($selected_gui,$selected_user[$i]);
+			$t = array('s','i');
+			$res_insert = db_prep_query($sql_insert,$v,$t);
 			while(db_fetch_row($res_insert)){$exists = true;}
 			if($exists == false){
-				$sql_insert = "INSERT INTO gui_mb_user(fkey_gui_id, fkey_mb_user_id) VALUES('$selected_gui', '".$selected_user[$i]."');";
-				$res_insert = db_query($sql_insert);
+				$sql_insert = "INSERT INTO gui_mb_user(fkey_gui_id, fkey_mb_user_id) VALUES($1, $2)";
+				$v = array($selected_gui,$selected_user[$i]);
+				$t = array('s','i');
+				$res_insert = db_prep_query($sql_insert,$v,$t);
 			}
 		}
 	}
@@ -99,52 +100,63 @@
 if($remove){
 	if(count($remove_user)>0){
 		for($i=0; $i<count($remove_user); $i++){
-			$sql_remove = "DELETE FROM gui_mb_user WHERE fkey_mb_user_id = '".$remove_user[$i]."' and fkey_gui_id = '$selected_gui'";
-			db_query($sql_remove);
+			$sql_remove = "DELETE FROM gui_mb_user WHERE fkey_mb_user_id = $1 and fkey_gui_id = $2";
+			$v = array($remove_user[$i],$selected_gui);
+			$t = array('i','s');
+			db_prep_query($sql_remove,$v,$t);
 		}
 	}
 }
 
 
-/*get allocated gui  ********************************************************************************************/
+/*get allocated gui  ******************************************************************************/
 
 $arrayGuis=mb_getGUIs($logged_user_id);
-
+$v = array();
+$t = array();
 $sql_gui = "SELECT * FROM gui WHERE gui_id IN (";
 
 for($i=0; $i<count($arrayGuis); $i++){
 	if($i>0){ $sql_gui .= ",";}
-	$sql_gui .= "'".$arrayGuis[$i]."'";
+	$sql_gui .= "$".($i+1);
+	array_push($v,$arrayGuis[$i]);
+	array_push($t,'s');
 }
 $sql_gui.= ") ORDER BY gui_name";
 
 
-$res_gui = db_query($sql_gui);
+$res_gui = db_prep_query($sql_gui,$v,$t);
 while($row = db_fetch_array($res_gui)){
 	$gui_id_array[$cnt_gui] = $row["gui_id"];
 	$gui_name[$cnt_gui] = $row["gui_name"];
 	$cnt_gui++;
 }
 
-/*get only owner user **********************************************************************************************/
-$sql_user = "SELECT * FROM mb_user WHERE mb_user_owner=".$logged_user_id." ORDER BY mb_user_name";
-$res_user = db_query($sql_user);
+/*get only owner user *****************************************************************************/
+$sql_user = "SELECT * FROM mb_user WHERE mb_user_owner = $1 ORDER BY mb_user_name";
+$v = array($logged_user_id);
+$t = array('i');
+$res_user = db_prep_query($sql_user,$v,$t);
 while($row = db_fetch_array($res_user)){
 	$user_id[$cnt_user] = $row["mb_user_id"];
 	$user_name[$cnt_user] =  $row["mb_user_name"];
 	$cnt_user++;
 }
 
-/*get only owner user from selected gui******************************************************************************/
+/*get only owner user from selected gui************************************************************/
 $sql_gui_mb_user = "SELECT mb_user.mb_user_id, mb_user.mb_user_name, gui_mb_user.fkey_gui_id FROM gui_mb_user ";
 $sql_gui_mb_user .= "INNER JOIN mb_user ON gui_mb_user.fkey_mb_user_id = mb_user.mb_user_id ";
-$sql_gui_mb_user .= "WHERE gui_mb_user.fkey_gui_id= '";
+$sql_gui_mb_user .= "WHERE gui_mb_user.fkey_gui_id = $1 ";
 
-if(!$selected_gui){$sql_gui_mb_user .= $gui_id_array[0];}
-if($selected_gui){$sql_gui_mb_user .= $selected_gui;}
-$sql_gui_mb_user .= "' AND  mb_user.mb_user_owner = '".$logged_user_id."'";
+if(!$selected_gui){$v = array($gui_id_array[0]);}
+if($selected_gui){$v = array($selected_gui);}
+$t = array('s');
+
+$sql_gui_mb_user .= " AND  mb_user.mb_user_owner = $2 ";
+array_push($v,$logged_user_id);
+array_push($t,'i');
 $sql_gui_mb_user .= " ORDER BY mb_user.mb_user_name";
-$res_gui_mb_user = db_query($sql_gui_mb_user);
+$res_gui_mb_user = db_prep_query($sql_gui_mb_user,$v,$t);
 while($row = db_fetch_array($res_gui_mb_user)){
 	$user_id_gui[$cnt_gui_user] = $row["mb_user_id"];
 	$user_name_gui[$cnt_gui_user] =  $row["mb_user_name"];
@@ -155,7 +167,7 @@
 /*INSERT HTML*/
 
 echo "<form name='form1' action='" . $self ."' method='post'>";
-/*insert guis in selectbox*************************************************************************************/
+/*insert guis in selectbox*************************************************************************/
 echo "<div class='text1'>GUI: </div>";
 echo "<select style='background:#ffffff' class='select1' name='selected_gui' onChange='submit()' size='10'>";
 for($i=0; $i<$cnt_gui; $i++){
@@ -167,7 +179,7 @@
 }
 echo "</select>";
 
-/*insert all user in selectbox**************************************************************************/
+/*insert all user in selectbox*********************************************************************/
 echo "<div class='text2'>USER:</div>";
 echo "<select style='background:#ffffff' class='select2' multiple='multiple' name='selected_user[]' size='$fieldHeight' >";
 for($i=0; $i<$cnt_user; $i++){
@@ -175,7 +187,7 @@
 }
 echo "</select>";
 
-/*Button****************************************************************************************************/
+/*Button*******************************************************************************************/
 
 echo "<div class='button1'><input type='button'  value='==>' onClick='validate(\"insert\")'></div>";
 echo "<input type='hidden' name='insert'>";

More information about the Mapbender_commits mailing list